Abstract — We derive a new upper bound for Eve's information
in secret key generation from a common random number without
communication. This bound improves on Bennett [7]'s bound
based on the Rényi entropy of order 2 because the bound
obtained here uses the Rényi entropy of order $1 + s$ for $s \in [0, 1]$.
This bound is applied to a wire-tap channel. Then, we derive an
exponential upper bound for Eve's information. Our exponent is
compared with Hayashi [8]'s exponent. For the additive case, the
bound obtained here is better. The result is applied to secret key
agreement by public discussion.

Index Terms — exponential rate, non-asymptotic setting, secret 
key agreement, universal hash function, wire-tap channel 



I. Introduction 

The study of secure communication in the presence of an
eavesdropper began with Wyner [10]. Following Wyner,
Csiszár & Körner [3] dealt with this topic. In this study, we
consider a sender Alice, an authorized receiver Bob and an
unauthorized receiver Eve, who is referred to as a wire-tapper.
This research treats two channels, a channel to Bob and a
channel to Eve; such a model is called a wire-tap channel.
Whereas the studies above treated the discrete memoryless
case, Hayashi [8] derived a general capacity formula for an
arbitrary sequence of wire-tap channels. In this model, the amount
of Eve's accessible information is given by the mutual
information $I_E(\Phi)$ between Alice's and Eve's variables with the
code $\Phi$ and is abbreviated to Eve's information.

As was shown by Csiszár [17], in the discrete memoryless
case, if the transmission rate is less than the capacity and
if we choose suitable codes, Eve's information goes to zero
exponentially. That is, when the given channel is used
$n$ times, Eve's information $I_E(\Phi_n)$ with a suitable code
behaves as $e^{-nr}$. In order to estimate the speed of the
convergence, we focus on the exponential decreasing rate of
Eve's information, which is referred to as the exponent of
Eve's information:

$$\lim_{n\to\infty} \frac{-1}{n} \log I_E(\Phi_n). \quad (1)$$

Hayashi [8] estimates this exponent for the wire-tap channels
in the discrete memoryless case. This type of evaluation is
quite useful for estimating Eve's information from a
finite-length code. The first purpose of this paper is to improve the
previous exponent of Eve's information.
On the other hand, using the Rényi entropy of order 2,
Bennett et al. [7] evaluate Eve's information after the
application of a universal$_2$ hashing function [4]. Their result gives an
upper bound of Eve's information for the generation of a secret
key from a common random number without communication.
Renner and Wolf [16] and Renner [14] improved this approach
and obtained evaluations based on smooth Rényi entropy.
Renner [14] applied his method to the security analysis of
quantum key distribution. However, no research has studied the
relation between these results related to various kinds of Rényi
entropies and the above results concerning the wire-tap channel.

The main purpose of this paper is to generalize Bennett et al.
[7]'s result and to apply it to the wire-tap channel model. As the
first step, in Section II we focus on secret key generation from
a common random number without communication. Even in
this model, we highlight the exponent of Eve's information in
the case of independent and identical distribution (i.i.d. case).
In subsection II-A, we extend the result of Bennett et al. [7]
to the case of the Rényi entropy of order $1 + s$ for $s \in [0, 1]$
and obtain a new upper bound for Eve's information in this
problem as the main theorem. We apply this bound to the i.i.d.
case. Then, we derive a lower bound of the exponent of Eve's
information. In subsection II-B, we also apply Renner and
Wolf [16]'s method to the evaluation of the exponent of Eve's
information. Then, another lower bound is derived based on
smooth Rényi entropy. It is shown that the lower bound based
on Rényi entropy of order $1 + s$ is better than that based on
smooth Rényi entropy.

In Section III, applying the evaluation obtained in
subsection II-A, we derive an upper bound for Eve's information
from random coding in a wire-tap channel. The upper bound
obtained here satisfies the concavity property with respect to
the distribution of Alice's system. This property is essential for
connecting this proof with secret key generation from a
common random number without communication. The method we
present contrasts with the method in Hayashi [8]. Hayashi [8]
deals with channel resolvability and applies it to the security
of wire-tap channel; this approach was strongly motivated
by Devetak [11] and Winter et al. [12]. In Section IV, we
show that this upper bound for Eve's information is better
than Hayashi [8]'s bound for the wire-tap channel model.

In a realistic setting, it is usual to restrict our codes to linear
codes. However, no existing result gives a code satisfying the
following conditions: (1) The code is constructed by linear
codes. (2) Eve's information exponentially goes to zero when
the transmission rate is smaller than the difference between
the mutual information from Alice to Bob and that to Eve. In
Section V, we make a code satisfying the above conditions.
That is, we make our code generated by a combination
of arbitrary linear codes and privacy amplification by the
concatenation of Toeplitz matrix [6] and the identity. Under
this kind of code, we obtain the same upper bound for Eve's
information, when the channel is an additive channel, i.e., the
probability space and the set of input signals are given as
the same finite module and the probability transition matrix
$W_a(b)$ corresponding to the channel is given as $P(a - b)$ with
a probability distribution on the finite module. This fact holds
when the channel is a variant of an additive channel.

In Section VI, we also apply our result to secret key
agreement with public discussion, which has been treated by
Ahlswede & Csiszár [2], Maurer [1], and Muramatsu [15] et
al. Maurer [1] and Ahlswede & Csiszár [2] showed that the
optimal key generation rate is the difference of conditional
entropies $H(A|E) - H(A|B)$, where $A$, $B$, $E$ are the random
variables for Alice, Bob, and Eve, respectively. However,
no existing result gives a bound for Eve's information that
exponentially goes to zero when the key generation rate is
smaller than $H(A|E) - H(A|B)$. Applying our result, we
obtain an upper bound of Eve's information satisfying the
above condition. In this case, we apply our code to a
wire-tap channel with a variant of additive channels. Our protocol
can be realized by a combination of a linear code and privacy
amplification by the concatenation of Toeplitz matrix [6] and
the identity.

In Appendix A, we prove the main theorem mentioned in
Section. In Appendix B, we show that the concatenation
of Toeplitz matrix [6] and the identity is a universal$_2$ hashing
function [4].

II. Secret key generation without communication 

A. Method based on Renyi entropy of order 1 + s 

Firstly, we consider the secure key generation problem from
a common random number $a \in \mathcal{A}$ which has been partially
eavesdropped on by Eve. For this problem, it is assumed that
Alice and Bob share a common random number $a \in \mathcal{A}$, and
Eve has another random number $e \in \mathcal{E}$, which is correlated
to the random number $a$. The task is to extract a common
random number $f(a)$ from the random number $a \in \mathcal{A}$, which
is almost independent of Eve's random number $e \in \mathcal{E}$. Here,
Alice and Bob are only allowed to apply the same function
$f$ to the common random number $a \in \mathcal{A}$. In order to discuss
this problem, for $s \in [0,1]$, we define the Rényi entropy of
order $1 + s$:

and the conditional Rényi entropy of order $1 + s$:

x.y 

x,y 

If there is no possibility for confusion, $P^{X,Y}$ is omitted.



Now, we focus on an ensemble of the functions $f_X$ from $\mathcal{A}$
to $\{1, \ldots, M\}$, where $X$ denotes a random variable describing
the stochastic behavior of the function $f$. An ensemble of the
functions $f_X$ is called universal$_2$ when it satisfies the following
condition [4]:

Condition 1: $\forall a_1 \neq \forall a_2 \in \mathcal{A}$, the probability that
$f_X(a_1) = f_X(a_2)$ is at most $\frac{1}{M}$.

Indeed, when the cardinality $|\mathcal{A}|$ is a power of a prime power
$q$ and $M$ is another power of the same prime power $q$, the
ensemble $\{f_X\}$ is given by the concatenation of Toeplitz
matrix and the identity $(X, I)$ [6] only with $\log_q |\mathcal{A}| - 1$ random
variables taking values in the finite field $\mathbb{F}_q$. That is, the matrix
$(X, I)$ has small complexity. The construction and its proof
are given in Appendix B.

As is shown in Appendix A, we obtain the following
theorem.

Theorem 1: When the ensemble of the functions $\{f_X\}$ is
universal$_2$, it satisfies

$$\mathrm{E}_X H(f_X(A)|E|P^{A,E}) \ge \log M - \frac{M^s e^{-H_{1+s}(A|E|P^{A,E})}}{s} \quad (2)$$

for $0 \le \forall s \le 1$.

Note that Bennett et al. [7] proved this inequality for the case
of $s = 1$.

Since the mutual information

$$I(f_X(A) : E|P^{A,E}) := H(f_X(A)|P^A) - H(f_X(A)|E|P^{A,E})$$

is bounded by $\log M - H(f_X(A)|E|P^{A,E})$, we obtain

$$\mathrm{E}_X I(f_X(A) : E|P^{A,E}) \le \frac{M^s e^{-H_{1+s}(A|E|P^{A,E})}}{s}, \quad 0 \le s \le 1. \quad (3)$$

This inequality implies the following theorem.

Theorem 2: There exists a function $f$ from $\mathcal{A}$ to
$\{1, \ldots, M\}$ such that

$$I(f(A) : E) \le \frac{M^s e^{-H_{1+s}(A|E|P^{A,E})}}{s}, \quad 0 \le \forall s \le 1. \quad (4)$$

Next, we consider the case when our distribution $P^{A_n,E_n}$
is given by the $n$-fold independent and identical distribution
of $P^{A,E}$, i.e., $(P^{A,E})^n$. Ahlswede and Csiszár [2] showed that
the optimal generation rate

G(P^^) 



:= sup 

{(/-.,A/,.)} 



lim 



log Mn 



lim 



H{UAn)) 



= 1 



logM„ 

equals the conditional entropy $H(A|E)$. That is, when the generation
rate $R = \lim_{n\to\infty} \frac{\log M_n}{n}$ is smaller than $H(A|E)$, Eve's
information $I(f_n(A_n) : E_n)$ goes to zero. In order to treat the
speed of this convergence, we focus on the supremum of the
exponentially decreasing rate (exponent) of $I(f_n(A_n) : E_n)$
for a given $R$

e/(P^^|P) 



sup < lim 

{(/„,M„)}i«^°° 



-\0gI{fn{An):En) 
Since the relation $H_{1+s}(A_n|E_n|(P^{A,E})^n) = nH_{1+s}(A|E|P^{A,E})$
holds, the inequality implies that

$$e_I(P^{A,E}|R) \ge \max_{0 \le s \le 1} H_{1+s}(A|E|P^{A,E}) - sR. \quad (5)$$

Since $\frac{d}{ds}H_{1+s}(A|E|P^{A,E})|_{s=0} = H(A|E)$, Eve's information
$I(f_n(A_n) : E_n)$ exponentially goes to zero for $R < H(A|E)$.

B. Method based on smooth min-entropy

Rényi entropy of order 2 $H_2(A|E|P^{A,E})$ is bounded by the
min-entropy

$$H_{\min}(A|E|P^{A,E}) := \min_{a,e: P^{A,E}(a,e)>0} -\log P^{A|E}(a|e),$$

i.e., the inequality

$$H_2(A|E|P^{A,E}) \ge H_{\min}(A|E|P^{A,E})$$

holds. Then, (3) with $s = 1$ yields that

$$\mathrm{E}_X \log M + H(E|P^{A,E}) - H(f_X(A)E|P^{A,E})$$
$$= \mathrm{E}_X \log M - H(f_X(A)|E|P^{A,E})$$
$$\le M e^{-H_{\min}(A|E|P^{A,E})}. \quad (6)$$

Renner and Wolf [16] introduced the smooth min-entropy:

$$H^{\epsilon}_{\min}(A|E|P^{A,E}) := \max_{\Omega: P^{A,E}(\Omega) \ge 1-\epsilon} \; \min_{(a,e)\in\Omega} -\log P^{A|E}(a|e) \quad (7)$$

for $\epsilon > 0$. This definition is different from that of Renner [14].
Modifying the discussion by Renner and Wolf [16], we can
derive another upper bound of $\mathrm{E}_X I(f_X(A) : E)$ based on the
smooth min-entropy $H^{\epsilon}_{\min}(A|E|P^{A,E})$ in the following way.

Using the variational distance $d(P^X, P'^X)$:

$$d(P^X, P'^X) := \sum_x |P^X(x) - P'^X(x)|,$$

we have the continuity of the Shannon entropy in the following
sense: When $d(P^X, P'^X) \le \frac{1}{e}$, the function

$$\eta(x, a) := -x \log x + xa$$

satisfies the following inequality:

$$|H(X|P^X) - H(X|P'^X)| \le \eta(d(P^X, P'^X), \log |\mathcal{X}|).$$

Based on the variational distance, we define the following
modification:

$$\bar{H}^{\epsilon}_{\min}(A|E|P^{A,E}) := \max\{H_{\min}(A|E|P'^{A,E}) \mid d(P^{A,E}, P'^{A,E}) \le \epsilon\}, \quad (8)$$

where $P'^{A,E}$ is a probability distribution.

For $0 < \epsilon < 1/2$, we choose $\Omega$ satisfying the condition
in (7). Then, $p_{\max}(\Omega) := \max_{(a,e)\in\Omega} P^{A|E}(a|e)$. We
define the joint distribution $P'^{A,E}(a,e)$ satisfying $P'^{E}(e) = P^{E}(e)$
in the following way. For this purpose, it is sufficient to
define the conditional distribution $P'^{A|E}(a|e)$ for all $e$. When
$(a, e) \in \Omega^c$, the conditional distribution $P'^{A|E}(a|e)$ is defined
by

$$P'^{A|E}(a|e) := P^{A|E}(a|e) \quad \text{if } P^{A|E}(a|e) \le p_{\max}(\Omega).$$

When $(a, e) \in \Omega$, we define $P'^{A|E}(a|e)$ satisfying that

$$P^{A|E}(a|e) \le P'^{A|E}(a|e) \le p_{\max}(\Omega),$$

$$\sum_{(a,e)\in\Omega} (P'^{A|E}(a|e) - P^{A|E}(a|e)) = \sum_{(a,e)\in\Omega^c} (P^{A|E}(a|e) - P'^{A|E}(a|e)).$$

Then, $d(P^{A,E}, P'^{A,E}) \le 2\epsilon$. Since

$$H_{\min}(A|E|P'^{A,E}) \ge -\log p_{\max}(\Omega),$$

we have

$$\bar{H}^{2\epsilon}_{\min}(A|E|P^{A,E}) \ge H^{\epsilon}_{\min}(A|E|P^{A,E}).$$

When $P'^{A,E}$ satisfies the condition given in (8),

$$|(H(E|P^{A,E}) - H(f_X(A)E|P^{A,E})) - (H(E|P'^{A,E}) - H(f_X(A)E|P'^{A,E}))| \le 2\eta(\epsilon, \log |\mathcal{A}| \cdot M).$$

Hence,

$$\mathrm{E}_X I(f_X(A) : E|P^{A,E})$$
$$\le \mathrm{E}_X \log M + H(E|P^{A,E}) - H(f_X(A)E|P^{A,E})$$
$$\le \mathrm{E}_X \log M + H(E|P'^{A,E}) - H(f_X(A)E|P'^{A,E}) + 2\eta(\epsilon, \log |\mathcal{A}| \cdot M)$$
$$\le M e^{-H_{\min}(A|E|P'^{A,E})} + 2\eta(\epsilon, \log |\mathcal{A}| \cdot M)$$
$$\le M e^{-\bar{H}^{\epsilon}_{\min}(A|E|P^{A,E})} + 2\eta(\epsilon, \log |\mathcal{A}| \cdot M)$$
$$\le M e^{-H^{\epsilon/2}_{\min}(A|E|P^{A,E})} + 2\eta(\epsilon, \log |\mathcal{A}| \cdot M).$$

Thus, we obtain an alternative bound of $\mathrm{E}_X I(f_X(A) : E|P^{A,E})$
as follows,

$$\mathrm{E}_X I(f_X(A) : E|P^{A,E}) \le I_{\min,M}(A|E|P^{A,E})$$
$$:= \min_{\epsilon>0} M e^{-H^{\epsilon}_{\min}(A|E|P^{A,E})} + 2\eta(2\epsilon, \log |\mathcal{A}| \cdot M)$$
$$\le \min_{R'} M e^{-R'} + 2\eta(2P^{A,E}\{P^{A|E}(a|e) \ge e^{-R'}\}, \log |\mathcal{A}| \cdot M). \quad (9)$$

Using (9), we can evaluate $e_I(P^{A,E}|R)$ as follows.

$$e_I(P^{A,E}|R) \ge \lim_{n\to\infty} \frac{-1}{n} \log I_{\min,e^{nR}}(A|E|(P^{A,E})^n).$$

Cramér Theorem yields that

$$\lim_{n\to\infty} \frac{-1}{n} \log (P^{A,E})^n\{(P^{A|E})^n(a|e) \ge e^{-nR'}\} = \max_{s \ge 0} H_{1+s}(A|E|P^{A,E}) - sR'.$$
Thus,

$$\lim_{n\to\infty} \frac{-1}{n} \log P_n(R) = \max_{s \ge 0} H_{1+s}(A|E|P^{A,E}) - sR',$$

where

$$P_n(R) := \eta(2(P^{A,E})^n\{(P^{A|E})^n(a|e) \ge e^{-nR'}\}, \log |\mathcal{A}|^n e^{nR}).$$

Therefore,

$$\lim_{n\to\infty} \frac{-1}{n} \log I_{\min,e^{nR}}(A|E|(P^{A,E})^n) = \max_{R'} \min\{\max_{s \ge 0} H_{1+s}(A|E|P^{A,E}) - sR', R' - R\}.$$

$\max_{s \ge 0} H_{1+s}(A|E|P^{A,E}) - sR'$ is continuous and monotone
decreasing concerning $R'$ and $R' - R$ is continuous
and monotone increasing concerning $R'$. Thus, the above
maximum is attained when $\max_{s \ge 0} H_{1+s}(A|E|P^{A,E}) - sR' = R' - R$.
Let $s_0$ be the parameter $s$ attaining the
above. Then, $H_{1+s_0}(A|E|P^{A,E}) - s_0R' = R' - R$ and
$\frac{d}{ds}H_{1+s}(A|E|P^{A,E})|_{s=s_0} = R'$. Thus,

$$\max_{R': R' \ge R} \min\{\max_{s \ge 0} H_{1+s}(A|E|P^{A,E}) - sR', R' - R\}$$
$$= \frac{1}{1+s_0} H_{1+s_0}(A|E|P^{A,E}) - \frac{s_0}{1+s_0} R$$
$$= \max_{s \ge 0} \frac{1}{1+s} H_{1+s}(A|E|P^{A,E}) - \frac{s}{1+s} R, \quad (10)$$

where the last equation can be checked by taking the
derivative. This value is smaller than the bound given by (5).

III. The wire-tap channel in a general framework 

Next, we consider the wire-tap channel model, in which the
eavesdropper (wire-tapper) Eve and the authorized receiver
Bob receive information from the authorized sender Alice. In
this case, in order for Eve to have less information, Alice
chooses a suitable encoding. This problem is formulated as
follows. Let $\mathcal{Y}$ and $\mathcal{Z}$ be the probability spaces of Bob
and Eve, and $\mathcal{X}$ be the set of alphabets sent by Alice.
Then, the main channel from Alice to Bob is described by
$W^B : x \mapsto W^B_x$, and the wire-tapper channel from Alice
to Eve is described by $W^E : x \mapsto W^E_x$. In this setting,
Alice chooses $M$ distributions $Q_1, \ldots, Q_M$ on $\mathcal{X}$, and she
generates $x \in \mathcal{X}$ subject to $Q_i$ when she wants to send the
message $i \in \{1, \ldots, M\}$. Bob prepares $M$ disjoint subsets
$\mathcal{D}_1, \ldots, \mathcal{D}_M$ of $\mathcal{Y}$ and judges that a message is $i$ if $y$ belongs to
$\mathcal{D}_i$. Therefore, the triplet $(M, \{Q_1, \ldots, Q_M\}, \{\mathcal{D}_1, \ldots, \mathcal{D}_M\})$
is called a code, and is described by $\Phi$. Its performance is
given by the following three quantities. The first is the size
$M$, which is denoted by $|\Phi|$. The second is the average error
probability $\epsilon_B(\Phi)$:

M 

and the third is Eve's information regarding the transmitted
message $I_E(\Phi)$:



dof \ - 1 
In order to calculate these values, we introduce the following
quantities. 



^{s\W,p) := log^ 

V \ X / 



where $W_p(y) := \sum_x p(x) W_x(y)$. The following lemma gives
the properties of these quantities.

Lemma 1: The following properties hold.

(1) The function $p \mapsto e^{\phi(s|W,p)}$ is convex for $s \in [-1, 0]$,
and is concave for $s \in [0, 1]$.

(2) The function $p \mapsto e^{\psi(s|W,p)}$ is concave for $s \in [0, 1]$.



Proof: Property (1) follows 
and concavity of x^^** for the 
s. Property (2) can be shown 
the divergence Ds{p\\q) 



from the convexity 
respective parameter 
as follows. Using 
T.M^)i& for 

the joint concavity 

^{l~\)Ds{p\\q2)[5\ 

< 



s G [0,1]. we obtain 
The concavity of a;'' implies 
D,{p\\Xqi + (1 - X)q2) > XD,{p\\qi 
Thus, Ea q{a)pix\a)D,{W4Wp^\,)) 

EaExlici)pix\a)Ds{W,\\Wp) when p{x) 
E g(a)p(x|a). Therefore, we obtain the concavity of 

Now, using the functions $\phi(s)$ and $\psi(s)$, we make a code
for the wire-tap channel based on the random coding method.
For this purpose, we make a protocol to share a random
number. First, we generate the random code $\Phi(Y)$ with size
$LM$, which is described by the $LM$ independent and identical
random variables $Y$ subject to the distribution $p$ on $\mathcal{X}$. For
integers $l = 1, \ldots, L$ and $m = 1, \ldots, M$, let $\mathcal{D}'_{l,m}(Y)$ be
the maximum likelihood decoder of the code $\Phi(Y)$. Gallager
[13] showed that the ensemble expectation of the average error
probability concerning decoding the input message $A$ is less
than $(ML)^s e^{\phi(-s|W^B,p)}$ for $0 \le s \le 1$. After sending the
random variable $A$ taking values in the set with the cardinality
$ML$, Alice and Bob apply the above universal$_2$ function $f_X$
to the random variable $A$ and generate another piece of data
of size $M$. Then, Alice and Bob share random variable $f_X(A)$
with size $M$. This protocol is denoted by $\Phi(X, Y)'$.

Let $E$ be the random variable of the output of Eve's
channel $W^E$. Since the random variable $A$ obeys the uniform
distribution $p' := P_{\mathrm{mix},\Phi(Y)}$ on the code $\Phi(Y)$ with size $ML$,
we obtain

$$e^{\psi(s|W^E,P_{\mathrm{mix},\Phi(Y)})} = M^s L^s e^{-H_{1+s}(A|E|P^{A,E})}. \quad (11)$$
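For a given code $\Phi(Y)$, we apply the inequality (3) to the
average of Eve's information. Then,

$$\mathrm{E}_{X|Y} I_E(\Phi(X,Y)') \le \frac{e^{\psi(s|W^E,P_{\mathrm{mix},\Phi(Y)})}}{L^s s}, \quad 0 \le s \le 1. \quad (12)$$

The concavity of $e^{\psi(s|W^E,p)}$ (Lemma 1) guarantees that

$$\mathrm{E}_{X,Y} I_E(\Phi(X,Y)') \le \mathrm{E}_Y \frac{e^{\psi(s|W^E,P_{\mathrm{mix},\Phi(Y)})}}{L^s s} \le \frac{e^{\psi(s|W^E,p)}}{L^s s}, \quad 0 \le s \le 1. \quad (13)$$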

Now, we make a code for wire-tap channel by modifying
the above protocol $\Phi(X, Y)'$. First, we choose the distribution
$Q_i$ to be the uniform distribution on $f_X^{-1}\{i\}$. When Alice
wants to send the message $i$, before sending the random
variable $A$, Alice generates the random number $A$ subject to
the distribution $Q_i$. Alice sends the random variable $A$. Bob
recovers the random variable $A$ and applies the function $f_X$.
Then, Bob decodes Alice's message $i$, and this code for
wire-tap channel $W^B, W^E$ is denoted by $\Phi(X,Y)$. This protocol
$\Phi(X,Y)$ has the same performance as the above protocol
$\Phi(X, Y)'$.

Finally, we consider what code is derived from the above
random coding discussion. Using the Markov inequality, we
obtain

$$P_{X,Y}\{\epsilon_B(\Phi(X, Y)) \le 2\mathrm{E}_{X,Y}\epsilon_B(\Phi(X, Y))\}^c < \frac{1}{2}$$

$$P_{X,Y}\{I_E(\Phi(X,Y)) \le 2\mathrm{E}_{X,Y}I_E(\Phi(X,Y))\}^c < \frac{1}{2}.$$

Therefore, the existence of a good code is guaranteed in the
following way. That is, we give the concrete performance of
a code whose existence is shown in the above random coding
method.

Theorem 3: There exists a code $\Phi$ for any integers $L$, $M$,
and any probability distribution $p$ on $\mathcal{X}$ such that

$$|\Phi| = M$$

$$\epsilon_B(\Phi) \le 2 \min_{0 \le s \le 1} (ML)^s e^{\phi(-s|W^B,p)} \quad (14)$$

$$I_E(\Phi) \le 2 \min_{0 \le s \le 1} \frac{e^{\psi(s|W^E,p)}}{L^s s}. \quad (15)$$

In fact, Hayashi [8] proved a similar result when the right
hand side of (15) is replaced by $2\min_{0 \le s \le 1/2}$

Remark 1: In the above derivation, the concavity
of $e^{\psi(s|W^E,p)}$ concerning $p$ is essential. The quantity
$e^{-H_{1+s}(A|E|P^{A,E})}$ can be regarded as a function of $p$, but it is
not concave. The quantity $e^{-H_{1+s}(A|E|P^{A,E})}$ can be described
by $e^{\psi(s|W^E,p)}$ via (11) only when $p$ is a uniform distribution
on the set with the cardinality $ML$. Otherwise, the quantity
$e^{-H_{1+s}(A|E|P^{A,E})}$ cannot be given as function of $e^{\psi(s|W^E,p)}$
via (11). Therefore, in the above derivation, we have to apply
the following steps with the given order. In the first step, we
transform the bound (3) with the quantity $e^{-H_{1+s}(A|E|P^{A,E})}$
to a function of $e^{\psi(s|W^E,p)}$ via (11), in which $p$ is a uniform
distribution with the cardinality $ML$. In the second step, we
apply the concavity of $e^{\psi(s|W^E,p)}$.

In the $n$-fold discrete memoryless channels $W^{B,n}$ and
$W^{E,n}$ of the channels $W^B$ and $W^E$, the additive equation
$\phi(s|W^{B,n},p) = n\phi(s|W^B,p)$ holds. Thus, there exists a code
$\Phi_n$ for any integers $L_n$, $M_n$, and any probability distribution
$p$ on $\mathcal{X}$ such that

$$\epsilon_B(\Phi_n) \le 2 \min_{0 \le s \le 1} (M_n L_n)^s e^{n\phi(-s|W^B,p)}$$

$$I_E(\Phi_n) \le 2 \min_{0 \le s \le 1} \frac{e^{n\psi(s|W^E,p)}}{L_n^s s}. \quad (16)$$

Since $\lim_{s\to 0} \frac{\psi(s|W^E,p)}{s} = I(p : W^E)$, the rate $\max_p I(p : W^B) - I(p : W^E)$
can be asymptotically attained.

When the sacrifice information rate is $R$, i.e., $L_n \cong e^{nR}$,
the decreasing rate of Eve's information is greater than
$e_\psi(R|W^E,p) := \max_{0 \le s \le 1} sR - \psi(s|W^E,p)$. Hayashi [8]
derived another lower bound of this exponential decreasing
rate $e_\phi(R|W^E,p) := \max_{0 \le s \le 1/2} sR - \phi(s|W^E,p)$.

IV. Comparison with existing bound

Now, we compare the two upper bounds $\frac{e^{\phi(s|W^E,p)}}{L^s}$ and
$\frac{e^{\psi(s|W^E,p)}}{L^s}$. Hölder inequality with the measurable space $(\mathcal{X}, p)$
is given as

$$\left|\sum_x p(x)X(x)Y(x)\right| \le \left(\sum_x p(x)|X(x)|^{\frac{1}{1-s}}\right)^{1-s} \left(\sum_x p(x)|Y(x)|^{\frac{1}{s}}\right)^{s}.$$

Using this inequality, we obtain

$$\sum_x p(x) W_x(y)^{1+s} \, W_p(y)^{-s} \le \left(\sum_x p(x) W_x(y)^{\frac{1}{1-s}}\right)^{1-s}.$$

Taking the summand concerning $y$, we obtain $e^{\psi(s|W,p)} \le e^{\phi(s|W,p)}$.
That is, our upper bound is better than that given
by [8].

Next, in order to consider the case when the privacy
amplification rate $R$ is close to the mutual information $I(p : W)$, we
treat the difference between these bounds with the limit $s \to 0$.
In this case, we take their Taylor expansions as follows.

$$e^{\psi(s|W,p)} = \sum_y \sum_x p(x) W_x(y)^{1+s} W_p(y)^{-s} \cong 1 + I(p : W)s + I_2(p : W)s^2 + I_3(p : W)s^3$$

$$e^{\phi(s|W,p)} = \sum_y \left(\sum_x p(x) W_x(y)^{\frac{1}{1-s}}\right)^{1-s} \cong 1 + I(p : W)s + I_2(p : W)s^2 + (I_3(p : W) + I_4(p : W))s^3$$
where

hip-.w) 

h{p : W) 
hip ■■ W) 



x,y 

y X 



Wpiy) 

Indeed, applying the Schwarz inequality to the inner product

{f,g) ■= f2xP^^^(y)f(y)9{y)^ we obtain 

X X 

>^PxW^[v)\ogW.Mf- 

X 

Since $\sum_x p(x) W_x(y) = W_p(y)$, this inequality implies that
$I_4(p : W) \ge 0$. That is, $e^{\psi(s|W,p)}$ is smaller than $e^{\phi(s|W,p)}$
only in the third order when $s$ is small.

Next, we consider a more specific case. A channel $W^E$
is called additive when there exists a distribution such that
$W^E_x(z) = P(z - x)$. In this case, the upper bound can be
simplified as follows. When $\mathcal{X} = \mathcal{Z}$ and $\mathcal{X}$ is a module and
$W_x(z) = W_0(z - x) = P(z - x)$, the channel $W$ is called
additive. Any additive channel $W^E$ satisfies $e_\psi(R|W^E,p_{\mathrm{mix}}) \ge
e_\phi(R|W^E,p_{\mathrm{mix}})$, where $p_{\mathrm{mix}}$ is the uniform distribution on
$\mathcal{X}$. This fact can be shown as follows. Since



(17) 



we obtain e^{R\W^ ,praix) = maxQ<s<i s{R - \og\X\) + 
Hi+s{X\P) > maxo<,<i - log|^|) + 

Hi+s{X\Pj) = e4i?|M^^,p™„), where t = 
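Fig. 1 shows the comparison of $e_\psi(R|W^E,p_{\mathrm{mix}})$
and $e_\phi(R|W^E,p_{\mathrm{mix}})$ with $e_{\psi,2}(R|W^E,p_{\mathrm{mix}}) :=
(R - \log|\mathcal{X}|) + H_2(X|P)$, which is directly obtained from
Bennett et al. [7]. When $R - \log|\mathcal{X}| \ge -\frac{d}{ds}H_{1+s}(X|P)|_{s=1}$,
$e_\psi(R|W^E,p_{\mathrm{mix}}) = e_{\psi,2}(R|W^E,p_{\mathrm{mix}})$.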

[Figure 1: plot of the exponent]

Fig. 1. Normal line: $e_\psi(R|W^E,p_{\mathrm{mix}})$ (The present paper). Thick
line: $e_\phi(R|W^E,p_{\mathrm{mix}})$ (Hayashi [8]), Dashed line: $e_{\psi,2}(R|W^E,p_{\mathrm{mix}})$
(Bennett et al. [7]). $p = 0.2$, $\log 2 - h(p) = 0.192745$,
$\log|\mathcal{X}| - \frac{d}{ds}H_{1+s}(X|P)|_{s=1} = 0.388457$.
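
The two constants in the Fig. 1 caption can be reproduced from the additive-case exponent $\max_{0 \le s \le 1} s(R - \log|\mathcal{X}|) + H_{1+s}(X|P)$. The following is an added example, not code from the paper: it assumes natural logarithms, the binary noise distribution $P = (0.8, 0.2)$ for $p = 0.2$, and the convention $H_{1+s}(X|P) = -\log\sum_x P(x)^{1+s}$ (an assumption that agrees with the caption's values); all function names are illustrative.

```python
import math

P = (0.8, 0.2)   # assumed additive noise distribution for p = 0.2 (Fig. 1)

def renyi(P, s):
    """Assumed convention: H_{1+s}(X|P) = -log sum_x P(x)^{1+s}, in nats."""
    return -math.log(sum(p ** (1 + s) for p in P))

def d_renyi(P, s):
    """d/ds H_{1+s}(X|P); at s = 0 this equals the Shannon entropy h(p)."""
    w = [p ** (1 + s) for p in P]
    return -sum(wi * math.log(p) for wi, p in zip(w, P)) / sum(w)

def e_psi(R, P):
    """max over 0 <= s <= 1 of s(R - log|X|) + H_{1+s}(X|P), with the
    maximising s. The objective is concave in s, so bisect its derivative."""
    g = lambda s: R - math.log(len(P)) + d_renyi(P, s)
    if g(0.0) <= 0:
        s = 0.0                      # exponent is zero: rate too small
    elif g(1.0) >= 0:
        s = 1.0                      # boundary optimum: order-2 regime
    else:
        lo, hi = 0.0, 1.0
        for _ in range(60):
            mid = (lo + hi) / 2
            lo, hi = (mid, hi) if g(mid) > 0 else (lo, mid)
        s = (lo + hi) / 2
    return s * (R - math.log(len(P))) + renyi(P, s), s

def e_psi2(R, P):
    """Order-2 exponent (R - log|X|) + H_2(X|P), i.e. the s = 1 term."""
    return R - math.log(len(P)) + renyi(P, 1.0)

def thresholds(P):
    """Rate where e_psi becomes positive, and rate from which s = 1 is optimal."""
    n = math.log(len(P))
    return n - d_renyi(P, 0.0), n - d_renyi(P, 1.0)

if __name__ == "__main__":
    print("thresholds:", thresholds(P))
    for R in (0.15, 0.30, 0.45):
        print(R, e_psi(R, P), e_psi2(R, P))
```

Between the two thresholds the optimum lies at an interior $s$, which is where the order $1+s$ exponent exceeds the order-2 exponent.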



Next, we consider a more general case. Eve is assumed to
have two random variables $z \in \mathcal{X}$ and $z'$. The first random
variable $z$ is the output of an additive channel depending
on the second variable $z'$. That is, the channel $W^E_x(z,z')$
can be written as $W^E_x(z,z') = P^{X,Z'}(z - x, z')$, where
$P^{X,Z'}$ is a joint distribution. Hereinafter, this channel model is
called a general additive channel. This channel is also called
a regular channel [9]. For this channel model, the inequality
$e_\psi(R|W^E,p_{\mathrm{mix}}) \ge e_\phi(R|W^E,p_{\mathrm{mix}})$ holds because

V. Wire-tap channel with linear coding 

In a practical sense, we need to take into account the
decoding time. For this purpose, we often restrict our codes
to linear codes. In the following, we consider the case where
the sender's space $\mathcal{X}$ has the structure of a module. First, we
regard a submodule $C_1 \subset \mathcal{X}$ as an encoding for the usual
sent message, and focus on its decoding $\{\mathcal{D}_x\}_{x \in C_1}$ by the
authorized receiver. We construct a code for a wire-tap channel
$\Phi_{C_1,C_2} = (|C_1/C_2|, \{Q_{[x]}\}_{[x] \in C_1/C_2}, \{\mathcal{D}_{[x]}\}_{[x] \in C_1/C_2})$ based
on a submodule $C_2$ of $C_1$ as follows. The encoding $Q_{[x]}$ is
given as the uniform distribution on the coset $[x] := x + C_2$,
and the decoding $\mathcal{D}_{[x]}$ is given as the subset $\cup_{x' \in x + C_2} \mathcal{D}_{x'}$.
Next, we assume that a submodule $C_2(X)$ of $C_1$ with
cardinality $|C_2(X)| = L$ is generated by a random variable $X$
satisfying the following condition.

Condition 2: Any element $x \neq 0 \in C_1$ is included in
$C_2(X)$ with probability at most $\frac{L}{|C_1|}$.

Then, the performance of the constructed code is evaluated
by the following theorem.

Theorem 4: Choose the subcode $C_2(X)$ according to
Condition 2. We construct the code $\Phi_{C_1,C_2(X)}$ by choosing the
distribution $Q_{[x]}$ to be the uniform distribution on $[x]$ for
$[x] \in C_1/C_2(X)$. Then, we obtain

$$\mathrm{E}_X I_E(\Phi_{C_1,C_2(X)}) \le \frac{e^{\psi(s|W^E,P_{\mathrm{mix},C_1})}}{L^s s}, \quad 0 \le \forall s \le 1, \quad (19)$$

where $P_{\mathrm{mix},S}$ is the uniform distribution on the subset $S$.

Proof: This inequality can be shown by (3) as
follows. Now, we define the joint distribution $P(x, z) :=
P_{\mathrm{mix},C_1}(x) W^E_x(z)$. The choice of $Q_{[x]}$ corresponds to a
hashing operation satisfying Condition 1. Then, (3) yields that
$\mathrm{E}_X I_E(\Phi_{C_1,C_2(X)})$ is bounded by
$\frac{e^{\psi(s|W^E,P_{\mathrm{mix},C_1})}}{L^s s}$, which implies (19).



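Next, we consider a special class of channels. When the
channel $W^E$ is additive, i.e., $W^E_x(z) = P(z - x)$, the equation
$\psi(s|W^E,P_{\mathrm{mix},C_1+x}) = \psi(s|W^E,P_{\mathrm{mix},C_1})$ holds for any $x$.
Thus, the concavity of $e^{\psi(s|W^E,p)}$ (Lemma 1) implies that

$$\psi(s|W^E,P_{\mathrm{mix},C_1}) \le \psi(s|W^E,P_{\mathrm{mix},\mathcal{X}}). \quad (20)$$

Thus, combining (19), (20), and (17), we obtain

$$\mathrm{E}_X I_E(\Phi_{C_1,C_2(X)}) \le \frac{|\mathcal{X}|^s e^{-H_{1+s}(X|P)}}{L^s s}, \quad 0 \le \forall s \le 1. \quad (21)$$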

J-j S 
Similarly, when the channel $W^E$ is general additive, i.e.,
$W^E_x(z, z') = P^{X,Z'}(z - x, z')$, combining (19), (20), and (18),
we obtain

$$\mathrm{E}_X I_E(\Phi_{C_1,C_2(X)}) \le \frac{|\mathcal{X}|^s e^{-H_{1+s}(X|Z'|P^{X,Z'})}}{L^s s}, \quad 0 \le \forall s \le 1. \quad (22)$$

When $\mathcal{X}$ is an $n$-dimensional vector space $\mathbb{F}_q^n$ over the finite
field $\mathbb{F}_q$, the subcode $C_2(X)$ of the random linear privacy
amplification can be constructed with small complexity. That
is, when $C_1$ is equivalent to $\mathbb{F}_q^m$, an ensemble of the subcodes
$C_2(X)$ satisfying Condition 2 can be generated from only the
$m - 1$ independent random variables $X_1, \ldots, X_{m-1}$ on the
finite field $\mathbb{F}_q$ as follows.

When $|C_2(X)| = q^k$, we choose the subcode $C_2(X)$ as
the kernel of the concatenation of Toeplitz matrix and the
identity $(X, I)$ of the size $m \times (m - k)$ given in Appendix
B. Then, the encoding $\{Q_{[x]}\}_{[x] \in C_1/C_2(X)}$ is constructed as
follows. When the sent message is $x \in \mathbb{F}_q^{m-k}$, it is transformed
to $(b, x - Xb)^T \in \mathbb{F}_q^m$, where $b = (b_1, \ldots, b_k)$ are $k$
independent random variables. This process forms the encoding
$\{Q_{[x]}\}_{[x] \in C_1/C_2(X)}$ because the set $\{(b, -Xb)^T | b \in \mathbb{F}_q^k\}$ is
equal to $C_2(X)$. This can be checked using the fact that
$(X, I)(b, x - Xb)^T = x$ and the set $\{(b, -Xb)^T | b \in \mathbb{F}_q^k\}$
forms a $k$-dimensional space.

Therefore, if the error correcting code $C_1$ can be constructed
with effective encoding and decoding times and $W^E$ is
additive or general additive, the code $\Phi_{C_1,C_2(X)}$ for a
wire-tap channel satisfying the inequality (21) or (22) can be
constructed by using random linear privacy amplification.

Furthermore, for the $n$-fold discrete memoryless case of the
wire-tap channel $W^B, W^E$, it is possible to achieve the rate
$I(P_{\mathrm{mix},\mathcal{X}} : W^B) - I(P_{\mathrm{mix},\mathcal{X}} : W^E)$ by a combination of this
error correcting and random linear privacy amplification when
an error correcting code attaining the Shannon rate $I(P_{\mathrm{mix},\mathcal{X}} :
W^B)$ is available and the channel $W^E$ is general additive, i.e.,
$W^E_x(z, z') = P^{X,Z'}(z - x, z')$. In this case, when the sacrifice
information rate is $R$, as follows from the discussion of Section
IV and (20), the exponent of Eve's information is greater than
$\max_{0 \le s \le 1} s(R - \log |\mathcal{X}|) + H_{1+s}(X|Z'|P^{X,Z'})$.

This method is very useful when the channels $W^B$ and $W^E$
are additive. However, even if the channels are not additive or
general additive, this method is still useful because it requires
only a linear code and random privacy amplification, which is
a simpler requirement than that of the random coding method
given in the proof of Theorem 3, while this method cannot
attain the optimal rate.

VI. Secret key agreement 

Next, following Maurer [1], we apply the above discussions
to secret key agreement, in which Alice, Bob, and Eve are
assumed to have initial random variables $a \in \mathcal{A}$, $b \in \mathcal{B}$,
and $e \in \mathcal{E}$, respectively. The task for Alice and Bob is
to share a common random variable almost independent of
Eve's random variable $e$ by using a public communication.
The quality is evaluated by three quantities: the size of the
final common random variable, the probability that their final
variables coincide, and the mutual information between Alice's
final variables and Eve's random variable. In order to construct
a protocol for this task, we assume that the set $\mathcal{A}$ has a module
structure (any finite set can be regarded as a cyclic group).
Then, the objective of secret key agreement can be realized
by applying the code of a wire-tap channel as follows. First,
Alice generates another uniform random variable $x$ and sends
the random variable $x' := x - a$. Then, the distribution of the
random variables $b, x'$ ($e, x'$) accessible to Bob (Eve) can be
regarded as the output distribution of the channel $x \mapsto W^B_x$
($x \mapsto W^E_x$). The channels $W^B$ and $W^E$ are given as follows.

$$W^B_x(b,x') = P^{A,B}(x - x', b)$$

$$W^E_x(e,x') = P^{A,E}(x - x', e), \quad (23)$$

where $P^{A,B}(a, b)$ ($P^{A,E}(a, e)$) is the joint probability between
Alice's initial random variable $a$ and Bob's (Eve's) initial
random variable $b$ ($e$). Hence, the channel $W^E$ is general
additive.

Applying Theorem 3 to the uniform distribution $P_{\mathrm{mix},\mathcal{A}}$, for
any numbers $M$ and $L$, there exists a code $\Phi$ such that

|<I>| = M 

2 min (Afiri^l-e-'^+^^'xt^^l-l^"^) 

0<s<l 



Ie(<^) < 2 min 

0<s<l 



\A\'e~"^ 



-(l+s)H 1 (A\E\P'^ 



because e"^'-"!^ .^^m^x.^) = \A\-''e 
and V(s|VF^,Pmix,^) = -Hi+s{A\E\P^'^) + s\og\A\. 

In particular, when $\mathcal{X}$ is an $n$-dimensional vector space
$\mathbb{F}_q^n$ over the finite field $\mathbb{F}_q$ and the joint distribution between
$A$ and $B$ ($E$) is the $n$-fold independent and identical
distribution (i.i.d.) of $P^{A,B}$ ($P^{A,E}$), respectively, the relations
$\phi(s|P^{A^n,B^n}) = n\phi(s|P^{A,B})$ and $H_{1+s}(A^n|E^n|(P^{A,E})^n) =
nH_{1+s}(A|E|P^{A,E})$ hold. Thus, there exists a code $\Phi_n$ for any
integers $L_n$, $M_n$, and any probability distribution $p$ on $\mathcal{X}$ such
that



1$. 



Mr. 



es($) < 2 min (M„L„)"|^| 

0<s<l 



-n(l+s)H_j_ iA\E\P'^-'^) 



< 2 min 

0<s<l 



-nHi + ^{A\E\P^ 



(24) 



Hence, the achievable rate of this protocol is equal to

$$I(P_{\mathrm{mix},\mathcal{A}} : W^B) - I(P_{\mathrm{mix},\mathcal{A}} : W^E)$$
$$= H(P^B) + H(P_{\mathrm{mix},\mathcal{A}}) - H(P^{A,B}) - (H(P^E) + H(P_{\mathrm{mix},\mathcal{A}}) - H(P^{A,E}))$$
$$= H(P^B) + H(P^A) - H(P^{A,B}) - (H(P^E) + H(P^A) - H(P^{A,E}))$$
$$= I(A : B) - I(A : E) = H(A|E) - H(A|B),$$

which was obtained by Maurer [1] and Ahlswede-Csiszár [2].
Here, since the channels $W^B$ and $W^E$ can be regarded as
general additive, we can apply the discussion in Section V.
That is, the bound (24) can be attained with the combination
of a linear code and random privacy amplification, which is
given in Section V.






VII. Discussion 

We have derived an upper bound for Eve's information in
secret key generation from a common random number without
communication when a universal$_2$ hash function is applied.
Since our bound is based on the Rényi entropy of order $1 + s$
for $s \in [0, 1]$, it can be regarded as an extension of Bennett et
al. [7]'s result with the Rényi entropy of order 2.

Applying this bound to the wire-tap channel, we obtain an
upper bound for Eve's information, which yields an
exponential upper bound. This bound improves on the existing bound
[8]. Further, when the error correction code is given by a linear
code and when the channel is additive or general additive, the
privacy amplification is given by the concatenation of Toeplitz
matrix and the identity. Finally, our result has been applied to
secret key agreement with public communication.
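Appendix A
Proof of Theorem 1

The concavity of $x \mapsto x^s$ implies that

$$\mathrm{E}_X e^{-H_{1+s}(X|P \circ f_X^{-1})} = \mathrm{E}_X \sum_{i=1}^{M} P \circ f_X^{-1}(i) \, P \circ f_X^{-1}(i)^s$$
$$= \mathrm{E}_X \sum_x P(x) \Big(\sum_{x': f_X(x) = f_X(x')} P(x')\Big)^s \le \sum_x P(x) \Big(\mathrm{E}_X \sum_{x': f_X(x) = f_X(x')} P(x')\Big)^s.$$

Condition 1 guarantees that

$$\mathrm{E}_X \sum_{x': f_X(x) = f_X(x')} P(x') \le P(x) + \sum_{x \neq x'} \frac{P(x')}{M} \le P(x) + \frac{1}{M}.$$

Since any two positive numbers $x$ and $y$ satisfy $(x + y)^s \le
x^s + y^s$ for $0 \le s \le 1$,

$$\Big(P(x) + \frac{1}{M}\Big)^s \le P(x)^s + \frac{1}{M^s}.$$

Hence,

$$\mathrm{E}_X e^{-H_{1+s}(X|P \circ f_X^{-1})} \le \sum_x P(x)\Big(P(x)^s + \frac{1}{M^s}\Big) = \sum_x P(x)^{1+s} + \frac{1}{M^s}.$$

Therefore, taking the expectation with respect to the random
variable $E$, we have

$$\mathrm{E}_X e^{-H_{1+s}(f_X(A)|E|P^{A,E})} \le e^{-H_{1+s}(A|E|P^{A,E})} + \frac{1}{M^s}. \quad (25)$$

The concavity of the logarithm implies

$$H_{1+s}(A|E|P^{A,E}) \le sH(A|E).$$

Thus, from (25), the concavity of the logarithm yields that

$$s\mathrm{E}_X H(f_X(A)|E) \ge \mathrm{E}_X H_{1+s}(f_X(A)|E|P^{A,E})$$
$$\ge -\log \mathrm{E}_X e^{-H_{1+s}(f_X(A)|E|P^{A,E})}$$
$$\ge s\log M - \log(1 + M^s e^{-H_{1+s}(A|E|P^{A,E})})$$
$$\ge s\log M - M^s e^{-H_{1+s}(A|E|P^{A,E})},$$

where the last inequality follows from the logarithmic
inequality $\log(1 + x) \le x$. Therefore, we obtain (2).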

Appendix B 
Toeplitz matrix 

The concatenation of Toeplitz matrix and the identity $(X, I)$
of size $m \times (m - k)$ on the finite field $\mathbb{F}_q$ is given as follows.
First, we choose $m - 1$ random variables $X_1, \ldots, X_{m-1}$
on the finite field $\mathbb{F}_q$. $I$ is the $(m - k) \times (m - k)$ identity
matrix and the $k \times (m - k)$ matrix $X = (X_{i,j})$ is defined by
the $m - 1$ random variables $X_1, \ldots, X_{m-1}$ as follows.

$$X_{i,j} = X_{i+j-1}.$$

This matrix is called a Toeplitz matrix.

Now, we prove that the $m \times (m - k)$ matrices $(X, I)$ satisfy
Condition 2. More precisely, we show the following. (1) An
element $(x, y)^T \in \mathbb{F}_q^k \oplus \mathbb{F}_q^{m-k}$ belongs to the kernel of
$(X, I)$ with probability $q^{-(m-k)}$ if $x \neq 0$ and $y \neq 0$. (2) It does
not belong to the kernel of the $m \times (m - k)$ matrix $(X, I)$ if
$x = 0$ and $y \neq 0$.

Indeed, since (2) is trivial, we will show (1). For $x =
(x_1, \ldots, x_k)$, we let $i$ be the minimum index $i$ such that $x_i \neq
0$. We fix the $k - i$ random variables $X_{i+(m-k)-1}, \ldots, X_{m-1}$.
That is, we show that the element $(x, y)^T$ belongs to the
kernel with probability $q^{-(m-k)}$ when the $k - i$ random
variables $X_{i+(m-k)-1}, \ldots, X_{m-1}$ are fixed. Then, the condition
$Xx + y = 0$ can be expressed as the following $m - k$
conditions.

$$X_i x_i = -\sum_{j=i+1}^{k} X_j x_j - y_1$$
$$\vdots$$
$$X_{i+m-k-2} x_i = -\sum_{j=i+1}^{k} X_{j+m-k-2} x_j - y_{m-k-1}$$
$$X_{i+m-k-1} x_i = -\sum_{j=i+1}^{k} X_{j+m-k-1} x_j - y_{m-k}.$$

The $(m - k)$-th condition does not depend on the $m - k -
1$ variables $X_i, \ldots, X_{i+m-k-2}$. Hence, this condition only
depends on the variable $X_{i+m-k-1}$. Therefore, the $(m - k)$-th
condition holds with probability $1/q$. Similarly, we can show
that the $(m - k - 1)$-th condition holds with probability $1/q$
under the $(m - k)$-th condition. Thus, the $(m - k)$-th condition
and the $(m - k - 1)$-th condition hold with probability $1/q^2$.
Repeating this discussion inductively, we can conclude that all
$m - k$ conditions hold with probability $q^{-(m-k)}$.
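
The construction above, the encoder of Section V and the bound (3) of Section II can all be checked exhaustively for small parameters. The following is an added example, not code from the paper: it assumes $q = 2$, $k = 4$, $m - k = 2$, a constructed joint distribution $P^{A,E}$, a row/column orientation of $X$ chosen for convenience, and the convention $H_{1+s}(A|E) = -\log\sum_{a,e} P^E(e)P^{A|E}(a|e)^{1+s}$ (an assumption consistent with the statement $\frac{d}{ds}H_{1+s}(A|E)|_{s=0} = H(A|E)$); all names are illustrative.

```python
import itertools, math
from collections import defaultdict

K, OUT = 4, 2            # assumed sizes: k and m - k over F_2
M_LEN = K + OUT          # m: Alice's string a = (x, y) lies in F_2^m
M = 2 ** OUT             # number of hash values

def toeplitz_hash(seed, a):
    """f_X(a) = X x + y over F_2 with X[i][j] = seed[i + j], i.e. the
    rule X_{i,j} = X_{i+j-1}; seed holds the m - 1 random bits."""
    x, y = a[:K], a[K:]
    return tuple((sum(seed[i + j] & x[j] for j in range(K)) + y[i]) % 2
                 for i in range(OUT))

SEEDS = list(itertools.product((0, 1), repeat=M_LEN - 1))
SPACE = list(itertools.product((0, 1), repeat=M_LEN))

def kernel_probability(d):
    """Fraction of seeds for which d lies in the kernel of (X, I)."""
    zero = (0,) * OUT
    return sum(toeplitz_hash(s, d) == zero for s in SEEDS) / len(SEEDS)

def max_collision_probability():
    """f_X is linear, so f_X(a1) = f_X(a2) iff a1 - a2 is in the kernel."""
    return max(kernel_probability(d) for d in SPACE if any(d))

def encode(seed, msg, b):
    """Section V encoder: message x and random b are sent as (b, x - Xb)."""
    xb = toeplitz_hash(seed, tuple(b) + (0,) * OUT)      # equals X b
    return tuple(b) + tuple((m - t) % 2 for m, t in zip(msg, xb))

def joint_distribution(bias=0.3, flip=0.1):
    """Constructed P^{A,E}: bits of a are i.i.d. Bernoulli(bias); Eve sees
    the last bit of a through a binary symmetric channel."""
    P = {}
    for a in SPACE:
        pa = math.prod(bias if bit else 1 - bias for bit in a)
        for e in (0, 1):
            P[a, e] = pa * (flip if e != a[-1] else 1 - flip)
    return P

def cond_renyi(P, s):
    """Assumed form: H_{1+s}(A|E) = -log sum P(a,e)^{1+s} P(e)^{-s}."""
    pe = defaultdict(float)
    for (_, e), p in P.items():
        pe[e] += p
    return -math.log(sum(p ** (1 + s) * pe[e] ** (-s)
                         for (_, e), p in P.items()))

def leak(P, seed):
    """Mutual information I(f_X(A) : E) in nats for one seed."""
    joint, pk, pe = defaultdict(float), defaultdict(float), defaultdict(float)
    for (a, e), p in P.items():
        key = toeplitz_hash(seed, a)
        joint[key, e] += p
        pk[key] += p
        pe[e] += p
    return sum(p * math.log(p / (pk[k] * pe[e]))
               for (k, e), p in joint.items() if p > 0)

def average_leak(P):
    """E_X I(f_X(A) : E), averaged exactly over all 2^(m-1) seeds."""
    return sum(leak(P, s) for s in SEEDS) / len(SEEDS)

def bound(P, s):
    """Right-hand side of (3): M^s e^{-H_{1+s}(A|E)} / s."""
    return M ** s * math.exp(-cond_renyi(P, s)) / s

if __name__ == "__main__":
    P = joint_distribution()
    print("max collision probability:", max_collision_probability(), "1/M:", 1 / M)
    print("average leak (nats):", average_leak(P))
    for s in (0.25, 0.5, 0.75, 1.0):
        print("s =", s, "bound =", round(bound(P, s), 4))
```

The seed is only $m - 1$ bits, yet the exact average over all seeds stays below the bound for every tested $s$; the tightest value in this constructed case is at $s = 1$.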